There are several areas of a network in a secure environment; the most common
are the inside, the outside, and the DMZ. Firewalls help divide and control
traffic between them. Cisco has designed the PIX series of firewalls to be the
primary devices for performing these functions. This chapter covers the basics
of the areas that connect to the PIX firewall: the trusted, untrusted, and
DMZ.

Trusted, Untrusted, and DMZ Defined

The PIX firewall always contains trusted and untrusted areas that are used to
identify the types of areas around the firewall. Firewalls with more than two
interfaces can contain areas called DMZs. These areas are created to support
servers that need to be accessed from an untrusted area without compromising the
trusted locations. This section covers each in more detail.

Trusted

The term trusted is used to refer to users and computers that are in
an area considered more secure or protected. This area is typically a private
section of the network that needs to be protected against malicious hackers and
other security threats. Security in the trusted area is established by blocking
all traffic from less trusted sections of the firewall.

Untrusted

The term untrusted defines areas of the network that might contain
malicious hackers or other security threats. One good example of an untrusted
area is the Internet side of your firewall or even segments of your own internal
network that are exposed to unknown access. Such an area could be a segment
exposed to outside use, for example, kiosk computers on a storeroom
floor.

DMZ

The demilitarized zone (DMZ) sits between both trusted and untrusted
areas and usually hosts computers that need to be available to users from both
of these areas. For example, a Web server in the DMZ can be accessed by people
on the Internet, which is untrusted, as well as by users in the private trusted
network. From the perspective of the inside, private, and trusted portion of
your network, the DMZ area is considered untrusted, so traffic initiated from
computers in the DMZ is blocked.
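
The three areas described above can be modeled as a small stateful policy check. This is an added example, not code from the book or from the PIX itself: it shows that "blocked" applies to traffic initiated from a less trusted area, while replies on a connection opened from the more trusted side still pass. The numeric trust ranks, the class and function names, and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed ranking for illustration: a higher number means more trusted.
TRUST = {"inside": 100, "dmz": 50, "outside": 0}

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str  # "ip:port" of the sender (constructed sample values)
    dst: str  # "ip:port" of the receiver

@dataclass
class ZoneFirewall:
    permits: set = field(default_factory=set)  # explicit exceptions
    conns: set = field(default_factory=set)    # tracked (initiator, responder)

    def permit(self, src_zone, dst_zone, dst):
        """Publish one service to a less trusted zone, e.g. a DMZ web server."""
        self.permits.add((src_zone, dst_zone, dst))

    def handle(self, pkt):
        # Packets of an already tracked connection pass in either direction.
        if (pkt.dst, pkt.src) in self.conns:
            return "allow (reply)"
        if (pkt.src, pkt.dst) in self.conns:
            return "allow (established)"
        # New connection: decide by who initiates it.
        if TRUST[pkt.src_zone] > TRUST[pkt.dst_zone]:
            verdict = "allow (to less trusted)"
        elif (pkt.src_zone, pkt.dst_zone, pkt.dst) in self.permits:
            verdict = "allow (explicit permit)"
        else:
            return "deny"
        self.conns.add((pkt.src, pkt.dst))
        return verdict

def demo():
    """Run constructed flows against a firewall that publishes one DMZ web server."""
    fw = ZoneFirewall()
    web = "172.16.1.10:80"
    fw.permit("outside", "dmz", web)
    flows = [
        Packet("outside", "dmz", "198.51.100.7:40000", web),     # Internet user to web server
        Packet("inside", "dmz", "10.0.0.5:50000", web),          # trusted user to web server
        Packet("dmz", "inside", web, "10.0.0.5:50000"),          # web server's reply
        Packet("dmz", "inside", "172.16.1.10:3333", "10.0.0.5:445"),      # DMZ host initiates
        Packet("outside", "inside", "198.51.100.7:40001", "10.0.0.5:445"),  # Internet initiates
    ]
    return [fw.handle(p) for p in flows]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
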